github actions: Introduce kernel-build-and-test-multiarch-trigger.yml

roxanan1996 · roxanan1996 · commit bc55abcd6739 · 2026-03-20T14:28:21.000+01:00
Separate the workflow into 2:
- trigger (that does not do much, appart from saving params and PR information
metadata)
- and the actual workflow that gets triggered automatically after this workflow
is done.

Needed so we can run this for forked repos. First workflow is "safer" because
it is triggered in the PR context. The second workflow is triggered by
workflow_run which always runs in the base repo context, and it has full
access to secrets (APP_ID, APP_PRIVATE_KEY)

The modified worklow kernel-build-and-test-multiarch.yml will be added later.

Signed-off-by: Roxana Nicolescu &lt;rnicolescu@ciq.com&gt;
diff --git a/.github/workflows/kernel-build-and-test-multiarch-trigger.yml b/.github/workflows/kernel-build-and-test-multiarch-trigger.yml
@@ -0,0 +1,137 @@
+name: Trigger Automated kernel build and test (multi-arch)
+
+on:
+  workflow_call:
+    inputs:
+      architectures:
+        description: 'Comma-separated architectures to build (x86_64, aarch64)'
+        required: false
+        type: string
+        default: 'x86_64,aarch64'
+      skip_kabi:
+        description: 'Skip kABI compatibility check'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+  actions: read
+  packages: read
+  # No pull-requests: write needed - we don't comment here
+
+jobs:
+  trigger-kernelCI:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Validate and sanitize inputs
+        id: validate_inputs
+        env:
+          BASE_REF: ${{ github.base_ref }}
+          HEAD_REF: ${{ github.head_ref }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_COMMITS: ${{ github.event.pull_request.commits }}
+        run: |
+          # Validate base branch name (alphanumeric, dots, slashes, dashes, underscores, curly braces)
+          # Note: hyphen must be at end of character class or escaped to be literal
+          if ! [[ "$BASE_REF" =~ ^[a-zA-Z0-9/_.{}-]+$ ]]; then
+            echo "❌ Invalid base branch name: $BASE_REF"
+            exit 1
+          fi
+
+          # Validate head branch name
+          if ! [[ "$HEAD_REF" =~ ^[a-zA-Z0-9/_.{}-]+$ ]]; then
+            echo "❌ Invalid head branch name: $HEAD_REF"
+            exit 1
+          fi
+
+          # Validate length (prevent resource exhaustion)
+          if [ ${#BASE_REF} -gt 255 ]; then
+            echo "❌ Base branch name too long"
+            exit 1
+          fi
+
+          if [ ${#HEAD_REF} -gt 255 ]; then
+            echo "❌ Head branch name too long"
+            exit 1
+          fi
+
+          # Validate PR number is numeric
+          if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
+            echo "❌ Invalid PR number: $PR_NUMBER"
+            exit 1
+          fi
+
+          # Validate commits count is numeric
+          if ! [[ "$PR_COMMITS" =~ ^[0-9]+$ ]]; then
+            echo "❌ Invalid commits count: $PR_COMMITS"
+            exit 1
+          fi
+
+          # Pass validated values to environment
+          echo "BASE_REF=$BASE_REF" >> "$GITHUB_ENV"
+          echo "HEAD_REF=$HEAD_REF" >> "$GITHUB_ENV"
+          echo "PR_NUMBER=$PR_NUMBER" >> "$GITHUB_ENV"
+          echo "PR_COMMITS=$PR_COMMITS" >> "$GITHUB_ENV"
+
+      - name: Clone base branch
+        env:
+          BASE_CLONE_URL: ${{ github.event.pull_request.base.repo.clone_url }}
+        run: |
+          # Use environment variables to prevent injection
+          git clone --depth=1 --no-checkout "$BASE_CLONE_URL" -b "$BASE_REF" .
+
+      - name: Fetch PR branch
+        env:
+          HEAD_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
+        run: |
+          # Use environment variables to prevent command injection
+          git fetch --depth=$((PR_COMMITS + 1)) "$HEAD_CLONE_URL" "$HEAD_REF"
+          HEAD_SHA=$(git rev-parse FETCH_HEAD)
+
+          # Validate SHA format (40 hex characters)
+          if ! [[ "$HEAD_SHA" =~ ^[0-9a-f]{40}$ ]]; then
+            echo "❌ Invalid SHA format: $HEAD_SHA"
+            exit 1
+          fi
+
+          echo "HEAD_SHA=$HEAD_SHA" >> "$GITHUB_ENV"
+
+      - name: Verify PR branch isn't on stale base
+        run: |
+          if ! git merge-base --is-ancestor "$BASE_REF" "$HEAD_SHA"; then
+            echo "❌ PR branch must be rebased onto latest base branch commit"
+            exit 1
+          fi
+
+      - name: Save PR metadata for workflow
+        env:
+          HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
+          REPOSITORY: ${{ github.repository }}
+          ARCHITECTURES: ${{ inputs.architectures }}
+          SKIP_KABI: ${{ inputs.skip_kabi }}
+        run: |
+          mkdir -p pr_metadata
+
+          # Save validated metadata
+          echo "$PR_NUMBER" > pr_metadata/pr_number.txt
+          echo "$REPOSITORY" > pr_metadata/repository.txt
+          echo "$BASE_REF" > pr_metadata/base_ref.txt
+          echo "$HEAD_REF" > pr_metadata/head_ref.txt
+          echo "$HEAD_SHA" > pr_metadata/head_sha.txt
+          echo "$HEAD_REPO_FULL_NAME" > pr_metadata/head_repo.txt
+          echo "$ARCHITECTURES" > pr_metadata/architectures.txt
+          echo "$SKIP_KABI" > pr_metadata/skip_kabi.txt
+
+          # Create a checksum of metadata for integrity verification
+          (cd pr_metadata && sha256sum *.txt > checksums.txt)
+
+      - name: Upload check results
+        uses: actions/upload-artifact@v4
+        if: always()  # Upload even if checks fail
+        with:
+          name: check-results
+          path: |
+            pr_metadata/
+          retention-days: 3  # Increased from 1 (then 3) to prevent premature deletion and support manual follow-ups
